Shadow IT is the unauthorized use of software, apps, and devices outside of your organization's ownership and control.

Employees often begin using shadow IT to create more efficient ways of performing routine tasks that can be better automated or streamlined to reduce their workload. Some employers are quick to embrace out-of-the-box thinking and the solutions that have been implemented, but many other employers are concerned that their lack of oversight may lead to holes being drilled into their security and seek answers on how to combat shadow IT usage in their organization.

You are not alone if you fall into the second camp and are concerned about threats to your data and systems. Learning how to manage shadow IT is just one step in mitigating potential threats. It is worth remembering that your team is going off the books for their software solutions for a reason: before trying to figure out how to eliminate shadow IT, recognise that your team is trying to solve a real pain point, either for themselves as individuals or for their department. With that in mind, let's look more closely at what shadow IT is and why its use is growing.

The Growth of Shadow IT

The rise of cloud-based services has made powerful software easily accessible from anywhere in the world, with just a download and a modest monthly fee. In many cases, a free, well-tooled version will provide the employee with everything they need. Employees find it convenient to bypass official channels and use the tools that they believe make their roles easier, and reduced friction in their workflow can lead to improvements in their output. Examples of useful software often implemented without an IT department's approval include:

  • Slack: Widely used for team communication and collaboration. Employees often use Slack without IT department approval, which can lead to security risks. In 2022, Slack announced that its GitHub repository (itself a cloud-based platform) had been hacked and internal code repositories had been stolen.
  • Dropbox: A cloud storage service commonly used by employees for easy file storage and transfer. Using Dropbox without proper IT oversight can lead to data fragmentation and security vulnerabilities, as data is stored outside of the organization. In April 2024, Dropbox announced a data breach had occurred in part of its ecosystem.
  • Trello: Employees often use Trello as a project management tool thanks to its visual ease for managing boards, lists, and cards. This can result in inconsistencies in project tracking and data security issues. Trello announced that user information had been exposed in January 2024. 
  • Zoom: Many organizations have adopted Zoom as their official video conferencing tool; however, some team members may use personal accounts rather than IT-managed accounts, which can introduce security vulnerabilities. In April 2021, hidden flaws were discovered that allowed hackers to take control of a PC or Mac running Zoom.
  • Google Workspace (formerly G Suite): Google Docs, Sheets, and Drive are fantastic tools for document creation, collaboration, and storage. Even if not authorized by the in-house IT team, these tools are often used due to their ease of access and collaborative features. However, this can lead to data being stored outside the organization's controlled environment, posing security and compliance risks. Google Workspace has not been directly hacked, but reports suggest that hackers could use a set of novel attack methods to gain control of a network if they compromise a single PC with Google Workspace.

How to Eliminate Shadow IT

Each of the examples above has been compromised by hackers at one point or another, in one manner or another. With that in mind, businesses are rightly concerned about their data security when they discover that their employees are potentially sharing or storing internal data on outside platforms, leading them to try to figure out how to prevent shadow IT from being implemented on their system.

However, almost all large businesses now use Software-as-a-Service (SaaS) applications across their sites, making it easy to connect distant sites with useful and adaptable software. This widespread adoption of cloud computing means that the line between approved and unapproved tools can blur, making it harder to eliminate shadow IT completely. Instead, organizations should focus on how to mitigate shadow IT and the risks associated with unauthorized software rather than on how to prevent shadow IT entirely, although these aims can go hand in hand.


How to Manage Shadow IT

According to IDC, 70% of spending on cloud-based solutions comes from the various departments or divisions within a company that are directly responsible for specific core business functions rather than through IT department purchases. Shadow SaaS is the result. 

The first step in figuring out how to manage shadow IT is to establish how much of it is already present in your organization. Visibility on your SaaS subscriptions can become murky, with siloed departments and inefficient communication between business areas. To effectively manage Shadow IT, organizations need to implement robust discovery tools that can detect unauthorized applications within the network. This can include financial audits and employee feedback mechanisms to help a business understand what tools have been implemented and why employees resort to these tools. Businesses can reduce their reliance on unauthorized applications by addressing their needs and providing approved alternatives.
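A simple illustration of the discovery step described above, added here as an example and not code from Trelica or the original article: it scans a constructed sample of web-proxy log lines, maps hostnames to the SaaS products named on this page via a hypothetical domain catalogue, and reports every product that is not on the IT department's sanctioned list, with the distinct users, first-seen time, and bytes sent per product.

```python
import re

# Hypothetical hostname-to-product map for this example; a real discovery tool
# would use a far larger catalogue of SaaS domains.
KNOWN_SAAS = {
    "slack.com": "Slack",
    "dropbox.com": "Dropbox",
    "trello.com": "Trello",
    "zoom.us": "Zoom",
    "docs.google.com": "Google Workspace",
}

# Products the IT department has approved; any other known SaaS is shadow SaaS.
SANCTIONED = {"Zoom", "Google Workspace"}

# Constructed proxy log sample: "<ISO timestamp> <user> <host> <bytes_sent>".
PROXY_LOG = """\
2024-05-01T09:12:03 alice files.slack.com 10240
2024-05-01T09:15:44 bob www.dropbox.com 5242880
2024-05-01T10:02:10 alice zoom.us 2048
2024-05-02T11:30:00 carol trello.com 4096
2024-05-02T11:31:12 bob api.trello.com 512
2024-05-03T08:05:09 dave www.dropbox.com 1048576
2024-05-03T08:06:00 erin docs.google.com 8192
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def match_app(host):
    """Map a hostname to a known SaaS product (exact domain or any subdomain)."""
    return next((app for d, app in KNOWN_SAAS.items()
                 if host == d or host.endswith("." + d)), None)

def discover_shadow_saas(log_text, sanctioned=SANCTIONED):
    """Summarise unsanctioned SaaS use per product: distinct users, first seen, bytes sent."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        ts, user, host, sent = m.groups()
        app = match_app(host)
        if app is None or app in sanctioned:
            continue
        entry = findings.setdefault(app, {"users": set(), "first_seen": ts, "bytes_sent": 0})
        entry["users"].add(user)
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort lexically
        entry["bytes_sent"] += int(sent)
    return findings
```

Running `discover_shadow_saas(PROXY_LOG)` on the sample reports Slack, Dropbox and Trello while the sanctioned Zoom and Google Workspace traffic is ignored; the bytes-sent figure is the number to watch, since a large upload to an unsanctioned file-sharing service is the data-leakage case the text warns about.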

While preventing Shadow IT might be the most desirable outcome for your organization, this may not be possible if your staff and management teams are free to implement solutions to fit their needs. However, educating employees about risks, establishing clear IT policies, and providing training programs can help employees understand the importance of using approved tools and the potential consequences of unauthorized software use. 

Additionally, providing a range of sanctioned SaaS applications that meet diverse needs can deter employees from seeking unofficial solutions.

Mitigating Risks Associated with Shadow IT

Once you have gained visibility over your organization's SaaS inventory, a clear understanding of what Shadow IT has crept into your organization, and clear guidelines and rules on which software is authorized, it’s time to manage and mitigate the risks associated with Shadow SaaS. 

Enhancing security protocols and implementing data loss prevention (DLP) solutions are critical steps in mitigating the risks of Shadow IT. By monitoring shadow IT usage and controlling data flows, organizations can ensure that sensitive information remains within approved channels. Effective integration and API management can help manage the interaction between approved and unapproved applications, reducing security risks while maintaining functionality.

Conclusion

To truly understand how to combat shadow IT, a balanced approach that includes prevention, management, mitigation, and, where possible, elimination strategies must be established. Organizations can effectively combat the challenges posed by shadow IT by educating employees, developing clear policies, providing approved alternatives, utilizing discovery tools, and enhancing security measures. 

By understanding these common examples and their associated risks, organizations can better address the question of how to mitigate shadow IT risk and implement strategies to manage and mitigate such software effectively. Audits and discovery tools can help identify and monitor unauthorized software, while education and clear policies can prevent their use. Ultimately, a proactive and balanced approach will help organizations maintain control over their IT environment while allowing employees the flexibility to use the tools they need to succeed.